Encrypted electronic communications
‘Encrochat’ provided an encrypted telephone network that was said to be popular with criminals for its encrypted messaging.
Recent joint police operations in Europe allowed officers to hack into the software resulting in the arrest of 746 suspected criminals in the UK. Across Europe, there have been further arrests as a result of intelligence obtained from the police’s access to the messages sent over a five-month period.
Europol said that the company was “one of the largest providers of encrypted digital communication with a very high share of users presumably engaged in criminal activity”. Users paid £1,600 a month for the device described by the company as “acquisition under conditions guaranteeing the absence of traceability”.
A reference was made to the Court of Justice of the European Union (CJEU) joining several cases, including a legal challenge brought by Privacy International who were challenging the bulk acquisition and use of communications data by the Security and Intelligence Agencies, that is MI5, MI6 and GCHQ.
The Investigatory Powers Tribunal referred Privacy International’s case to the CJEU asked it to decide:
1. whether requiring an electronic communications network to turn over communications data in bulk to the SIAs falls within the scope of EU law; and
2. if the answer to the first question is yes, what safeguards should apply to that bulk access to data.
The CJEU has ruled (6th October 2020) that EU member states need to comply with general principles of EU law such as proportionality, privacy, data protection and freedom of expression. These principles cannot be ignored for national security reasons, although certain derogations may be allowed. The Court referred to a pressing national security threat being able to justify limited and temporary bulk data collection and retention, but only “what is strictly necessary”.
Targeted retention may be allowed, but there must be ‘effective safeguards’ and a review by an independent authority or court, whose decision would be binding.
In the UK the Investigatory Powers Act provides powers to intercept and retain digital communications. The CJEU has now ruled that such bulk powers should be used only in particular circumstances.
The Court ruling went further to say that there may be grounds for overturning criminal convictions based on evidence obtained via illegal surveillance, in EU states with indiscriminate mass surveillance regimes.
A CJEU press release stated, “the Court specifies that the directive on privacy and electronic communications, interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of such criminal proceedings, where those persons suspected of having committed criminal offences are not in a position to comment effectively on that information and evidence”.
The UK courts will now need to consider the implementation of the judgment. Whether this will affect the Encrochat prosecutions currently underway remains to be seen.
How can we help?
[Image credit: “communication” by urbanfeel is licensed under CC BY-ND 2.0]